Information Security Management is a broad category, yet it is a very important area to a practicing accounting firm. The term Information Security relates to activities surrounding the protection of information and information infrastructure assets against the risks of loss, misuse, damage, disclosure, or theft. Information Security Management is the term used to describe the collection of controls which an organization uses to ensure it is managing these risks.

Public accountants are well versed in the protection of financial assets and internal controls, but in many cases the same does not hold true for the protection of information. Just as the fraud triangle has its three components of Motivation (sometimes named Pressure), Rationalization, and Opportunity, the area of Information Security Management has its own triad of concepts: Confidentiality, Integrity, and Availability, sometimes referred to as C-I-A. A graphical representation of this triad, along with the common components which assist in the creation of a secure environment, is found in Figure 1 below.

Figure 1: Information Security Components (Graphic Source - Wikipedia, http://en.wikipedia.org/wiki/CIA_triad#Key_concepts)

The C-I-A triad is defined within the context of the ISO 27002 standard on Information Security Management. The C-I-A triangle is defined as:

1. The preservation of confidentiality by ensuring that information is accessible only to those authorized to have access;
2. Integrity in safeguarding the accuracy and completeness of information and the processing methods; and
3. Availability in ensuring that authorized users have access to information and associated assets when required.

The ISO 27002 standard then moves beyond the core concepts of the triad to further refine information security management into twelve main components:

* risk assessment;
* security policy;
* organization of information security;
* asset management;
* human resources security;
* physical and environmental security;
* communications and operations management;
* access control;
* information systems acquisition, development and maintenance;
* information security incident management;
* business continuity management; and
* compliance.

Within each of these sections, information security controls and their objectives are specified and outlined. Implementation guidance is also provided in the document. Like internal controls for accounting, specific controls are not mandated, since each organization is expected to conduct its own risk assessment to determine what is appropriate for its circumstances. Just as in financial accounting, it would be impossible to list every conceivable control for every type of organization in a single standard. The standard is really a set of best practices on which an organization can draw to ensure it is protecting its information technology assets properly.

The ISO standard further defines each of these areas as follows:

1. Risk assessment – being accountants, this speaks for itself
2. Security policy – management direction and policy statements related to information technology
3. Organization of Information Security – the governance of information security and who is responsible
4. Asset management – the inventory and classification of information assets in an organization
5. Human resources security – the security aspects of employees joining, moving within, and leaving an organization
6. Physical and environmental security – the protection of the computer facilities and the environment the computer facilities operate in
7. Communications and operations management – the management of technical security controls in systems and networks
8. Access control – the restrictions and permissions granting access rights to networks, systems, applications, functions, and data
9. Information systems acquisition, development, and maintenance – the building of security into software applications to provide controls within the software
10. Information security incident management – anticipating and responding appropriately to information security breaches when and if they should occur
11. Business continuity management – the processes and procedures for protecting, maintaining, and recovering business-critical processes and systems in the event of a catastrophe
12. Compliance – ensuring conformance with information security policies, standards, laws, and regulations imposed by governing authorities

Most accounting firms are probably not looking closely at their Information Security Management. Given that there are standards and guidance available to help implement an Information Security Management infrastructure, what should accounting firms be doing to improve their Information Security Management?

Firms should become familiar with the ISO 27002 standard and its best practices, as well as the best practices promulgated by our professional associations. A risk assessment should be undertaken to see which areas carry the highest security risks. Once the high-risk areas are identified, the firm should create a plan to address them, starting with the most significant security vulnerabilities and working down the list to the less risky issues.

As the plan is developed, the firm can use professional association best practices guidance along with the ISO 27002 suggested best practices to develop controls to correct the issues found. These controls may result in changes to the way information is handled by employees in the organization. They may also change the type of information the firm collects from clients, vendors, and other entities.

After the controls are put in place, the firm should re-evaluate them to ensure that each control is functioning appropriately and has corrected the vulnerability. Periodically after these new controls are put in place, the firm should test the controls to make sure they are still being followed by employees. The evaluation of the control for any particular fix to a security issue should take place very frequently soon after the control is put in place and then less frequently as time goes on. The reason is that habits are formed after 30 to 45 days of use. Verification of a control is more effective if done frequently after the control is put in place, so that employees get used to using the new control and do not revert to the old ways of doing things. After the habit is developed, the control should still be tested to ensure that employees continue to follow the process, or to determine whether the process has been modified in an attempt to bypass the control.

Periodically, controls should be re-evaluated to ensure they continue to provide the level of risk reduction expected of them, or to determine whether other vulnerabilities have arisen which require new or different controls. This re-evaluation should be planned into the risk assessment, which brings the organization full circle in a continuous improvement cycle. Because new security issues develop and new risks emerge from changes in technology, Information Security Management becomes an ongoing and regular part of a firm's technology cycle.

Sometimes a firm may need to seek competent outside help in determining whether the controls it has in place are functioning and configured properly. A consultant may need to be brought in to assess vulnerabilities or controls to ensure the firm is reaching its goals in mitigating the risks it has identified. A consultant may also be needed to help develop some of the internal controls that mitigate those risks. IT consultants can sometimes provide this service, or you may need specialized security consultants to help define the risks and help mitigate them. There are many professional security associations whose members can assist a firm in identifying and addressing security issues.

Information security management is about evaluating the risks of loss, misuse, damage, disclosure, and theft of company information and putting in place the controls to prevent these things from happening. Public accounting firms have several legal requirements imposed on them regarding the protection of the privacy of their clients' information. As such, we must always be vigilant in evaluating the risks associated with the data we keep and how we keep it. The failure to do so would at a minimum prove embarrassing to the firm and at the maximum put the firm's survival into question. Public accounting firms must continuously monitor and use the tools of ISO 27002, along with those available from our professional associations, to ensure we have properly mitigated the risks associated with the information we use and store.

John D. Anderson, CPA.CITP, CIA, MCP, MSA, is the Information Technology Services Group Manager at Weidmayer, Schneider, Raham & Bennet, a large, local CPA firm in Ann Arbor, MI. His experience includes Citrix, Windows 2000 Server, Internet Information Services, Lotus Notes/Domino, Cisco PIX, SonicWall, and Trend Micro NeaTSuite products, as well as dozens of accounting software packages used by CPA firms and their clients. He joined the firm after completing a Master's Degree in Accounting from Eastern Michigan University.

He speaks at national computer user meetings and is very well respected for his activity on ARNE [the Accountants Resource Network], an Internet bulletin board system sponsored by Thomson Reuters.